#VU36249 Arbitrary file upload in Vtiger CRM - CVE-2019-5009

Cybersecurity Help s.r.o.

Published: 2019-01-04 | Updated: 2020-08-08

Vulnerability identifier: #VU36249

Vulnerability risk: Medium

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-5009

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Vtiger CRM
Other software / Other software solutions

Vendor: Vtiger

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Vtiger CRM: 7.1.0

External links
https://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375
https://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html
https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html
https://www.exploit-db.com/exploits/46065

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Vtiger CRM